Detections for the Axios supply chain compromise
A supply chain attack targeting Axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency (plain-crypto-js@4.2.1) that executed during installation. The attack deploys cross-platform payloads across Linux, Windows, and macOS through a consistent pattern: Node.js spawns OS-native shells to retrieve and execute remote payloads in detached or hidden contexts. Linux victims receive a Python-based RAT, Windows systems get a PowerShell backdoor with registry persistence, and macOS hosts are compromised with a Mach-O binary backdoor. All variants beacon to the same C2 infrastructure, performing host fingerprinting, process enumeration, filesystem reconnaissance, and arbitrary code execution. The malicious activity is reliably detected through behavioral signatures focusing on unusual Node.js process ancestry and remote payload retrieval rather than static indicators.
AI Analysis
Technical Summary
This threat involves a supply chain compromise of the Axios npm package versions 1.14.1 and 0.30.4, where a malicious transitive dependency (plain-crypto-js@4.2.1) is introduced. Upon installation, the malicious code executes and uses Node.js to spawn native OS shells to download and run remote payloads in a detached or hidden manner. The payloads differ by platform: a Python RAT on Linux, a PowerShell backdoor with persistence on Windows, and a Mach-O binary backdoor on macOS. All variants connect to a common command and control infrastructure, enabling host fingerprinting, process enumeration, filesystem reconnaissance, and arbitrary code execution. Detection is primarily behavioral, focusing on anomalous Node.js process behavior and network activity. There is no information on patches or vendor advisories, and no known exploits in the wild have been reported.
Potential Impact
The attack enables remote code execution and persistent backdoors across multiple operating systems via a compromised npm package dependency. This allows attackers to perform host fingerprinting, process and filesystem reconnaissance, and maintain long-term access through platform-specific backdoors. The compromise affects development environments or systems that install the vulnerable Axios package versions with the malicious dependency. The impact includes potential unauthorized control and data exposure on affected hosts.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. In the absence of official patches or advisories, do not install or run the affected Axios package versions 1.14.1 and 0.30.4 until further notice. Monitoring for unusual Node.js process ancestry (Node.js spawning OS-native shells) and for remote payload retrieval by those shells can aid detection. Remove the malicious transitive dependency (plain-crypto-js@4.2.1) and reinstall packages from trusted sources. Follow vendor updates for official fixes or mitigations.
Indicators of Compromise
- hash (MD5): 7658962ae060a222c0058cd4e979bfa1
- hash (MD5): 7a9ddef00f69477b96252ca234fcbeeb
- hash (MD5): 8c782b59a786f18520673e8d669e3b0a
- hash (MD5): 90e8e227ba8bef0ea7e0212b5b1e0d4c
- hash (MD5): db7f4c82c732e8b107492cae419740ab
- hash (MD5): e56bafda15a624b60ac967111d227bf8
- hash (SHA-1): 07d889e2dadce6f3910dcbc253317d28ca61c766
- hash (SHA-1): 13ab317c5dcab9af2d1bdb22118b9f09f8a4038e
- hash (SHA-1): ae39c4c550ad656622736134035f17ca7a66a742
- hash (SHA-1): b0e0f12f1be57dc67fa375e860cedd19553c464d
- hash (SHA-1): d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
- hash (SHA-1): dbd62d788ce8dcaa96116a73f70ee24813d59428
- hash (SHA-256): 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668
- hash (SHA-256): 59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f
- hash (SHA-256): 6483c004e207137385f480909d6edecf1b699087378aa91745ecba7c3394f9d7
- hash (SHA-256): 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
- hash (SHA-256): e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
- hash (SHA-256): e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff
- hash (SHA-256): ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c
- ip: 142.11.206.73
- url: http://sfrclak.com:8000/6202033
- domain: sfrclak.com
- domain: process.name
- domain: process.parent.name

Note: process.name and process.parent.name are Elastic Common Schema (ECS) field names used by the detection rules in the referenced Elastic Security Labs article, not network domains; treat them as a parsing artifact of the source feed rather than as indicators to block or hunt for.
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- Adversary: null
- Pulse Id: 69d4e63921cbadb426b7cd2a
- Threat Score: null
Threat ID: 69d4eafdaaed68159a12948d
Added to database: 4/7/2026, 11:31:09 AM
Last enriched: 4/7/2026, 11:46:12 AM
Last updated: 4/8/2026, 12:41:48 AM